Episode #105: Anatomy of an Email Scam
A step-by-step, illustrated guide to show how hackers steal your data
A.I. Notification: No part of this episode was written, edited, or image-created by artificial intelligence.
The (Extremely Attractive) Bait
I got an email earlier in this week that I 100% knew was a scam.
I followed it anyway. Safely, of course. I do this because sometimes, the scam is good enough for me to share as a teaching tool for my readers.
This week’s scam qualified. Trust me: you’re gonna want to read this entire episode and bookmark it for later.
How The Scam Is Designed to Look Legit
Let’s break down what I saw in this email by the numbers:
An official looking email reply-to address
The actual DocuSign logo
The real “Powered by DocuSign” statement and
The real DocuSign privacy warning
Not bad. Sure, there are giveaways. The “view completed document” text doesn’t show correctly (bottom green arrow) and - in my case - the fact that it went to my spam folder (top green arrow). But still…
It’s a good forgery. I know that because here’s an ACTUAL DocuSign email I received several years ago. The resemblance is striking.
This time - for you, my dear readers - I clicked the links in the scam email to see where it led me. Before I show you the rest, an important note:
An Important Note
It’s crucial that you understand three things:
Please don’t do this yourselves. If your computer, security & privacy tools, and internet connection aren’t all secured and protected in the right ways, this is one of the dumbest things that you can do to yourselves. Just don’t do it.
I only used several brand-new, unused email addresses to test this scam. I didn’t use any of my active email accounts to do this, because…
You should NEVER use your personal email address for logging onto any website other than your email. EVER. I explained this waaaaaaay back in Episode #3. TL;DR - if you need a ton of free, easily-customizable emails, please use 33mail.com (affiliate link here).
Are we all clear on this?
Good. Then let’s see what happened to me.
The (Extremely Masterful) Switch
I’ll be honest: the bait and switch on this one was impressive. The incredible detail and work that went into this must be seen to be believed. Somebody went to extraordinary measures to ensure that this scam looked and behaved like a Microsoft website.
I did a screen recording of what happened to me, so that you can watch safely. Go full screen if you can on this and have a gander and what these black-hat hackers put together:
It’s stunning.
These clever asshats found a way to make it look like their website required me to use the (very) legit Cloudflare platform. This is why you saw that I had to click a button to “prove” that I was a human before the scam continued.
Then, the pièce de résistance: they copied the Microsoft login animation to make their bogus webpage look nearly identical to Microsoft’s.
You gotta tip your cap. This is first-rate work. Yes, it’s the first-rate work of thieves, but still: it’s very impressive stuff.
Since I was now facing a login prompt, there was only one thing left to do…
How Deep is this Rabbit Hole?
Before I go any further, I want you to have a good look at this image showing the webpage where this scam led me:
On closer examination, I’m hopeful that some of you can find the evidence that this webpage is a scam. Can you see anything unusual?
Take a moment. Scroll back up and look. Do you see any red flags?
Look closely, because there are two immediate red flags in this image that should warn you to stay away from this site.
Got ‘em yet?
If not, scroll down a bit more and I’ll show you:
.
.
.
.
.
OK, ready?
NEVER MIND that this webpage LOOKS like a Microsoft login page.
It isn’t.
The first red flag is the site’s address or URL. Practice always checking the URL. In this case, it points to pulsesphere.ru, not Microsoft.com. That’s a hint that you’re getting scammed. By the way, if the .ru suffix looks weird — it’s not .com or .net!! — it’s the country suffix for Russian websites.
The second red flag is the page title. That’s the word or words which appear in the tab of your web browser. Check out the green rectangle in my animated gif above and there, you’ll see this page’s title: “obnoxious”. Fun, right?
By the way, there’s another, bonus red flag embedded into the URL. Do you see the words “BASE64” there? Good. Base64 is an encoding scheme. Ooops.
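Here is a small URL checker that does, in code, the two things the paragraphs above tell you to do by eye: confirm that the host at the end of the address really belongs to the company you expect, and look inside the `#` fragment for a Base64-encoded value. This is an added example and not code from the post; the trusted-domain list is my assumption about what a real Microsoft sign-in page would use, and the Base64 fragment in the sample is a constructed stand-in for the “YEMAILBASE64” placeholder the post shows. It also goes a little beyond the post by catching two classic ways a scam address can still contain the word “microsoft” while pointing elsewhere.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Assumption: domains a genuine Microsoft sign-in page could legitimately live under.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}

# Constructed sample: the post's scam URL, with the fragment replaced by the Base64
# encoding of a made-up address (someone@example.com) instead of the "YEMAILBASE64" placeholder.
SAMPLE_SCAM_URL = "https://pulsesphere.ru/cDkNb/#c29tZW9uZUBleGFtcGxlLmNvbQ=="


def host_belongs_to(host, domain):
    """True only if host IS the domain or a subdomain of it (microsoft.com.evil.ru is neither)."""
    return host == domain or host.endswith("." + domain)


def decode_base64_fragment(fragment):
    """Return the fragment decoded as Base64 text, or None if it is not readable Base64."""
    padded = fragment + "=" * (-len(fragment) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Report why a 'login' URL should or should not be trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # Red flag 1: the real host is whatever comes right before the first "/" after "://",
    # and it must be the company's own domain (or a subdomain of it).
    if not any(host_belongs_to(host, d) for d in trusted):
        tld = host.rsplit(".", 1)[-1] if "." in host else host
        findings.append(f"host {host!r} is not under a trusted domain (top-level domain: .{tld})")

    # Anything before an "@" in the address is a username, not the site; a brand name there proves nothing.
    if parts.username is not None:
        findings.append(f"address carries a username ({parts.username!r}) before '@'; the site is still {host!r}")

    # Bonus red flag: a Base64 blob in the fragment usually carries the victim's own email
    # so the fake page can pre-fill it and look personalised.
    decoded = decode_base64_fragment(parts.fragment) if parts.fragment else None
    if decoded is not None:
        findings.append(f"fragment decodes from Base64 to {decoded!r}")

    return {"host": host, "trusted": not findings, "findings": findings, "fragment_decoded": decoded}


if __name__ == "__main__":
    for url in (SAMPLE_SCAM_URL, "https://login.microsoftonline.com/common/oauth2/"):
        result = check_login_url(url)
        print(url, "->", "OK" if result["trusted"] else "; ".join(result["findings"]))
```

The check deliberately works on the parsed host rather than on whether the string contains “microsoft”; that is exactly the distinction the post is asking you to make when you read the address bar.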
The Scam is Revealed
I logged in to this fascinating “Microsoft” website using several just-created outlook.com email addresses.
When I clicked “Sign In”, can you guess what happened? On screen: not much. Just an alert that there’d been an error with my username or password. So I tried a second time with a second, bogus outlook.com email account. The results were the same.
So crisis averted, right?
Um, no. You’re already fucked.
You’ve Been Scammed
You see, friends, the fake Microsoft website I tried to log in to was NOT designed to take me to another web page. It was designed to get me to enter my Microsoft username and password. My credentials.
And it did that job extremely well.
So well, in fact, that it captured my information and sent it off to Russia. Now you may be asking, “Wait: how do you actually know that?!”
How I Actually Know That
OK, some background: once our computers and smart devices are connected to the Internet, they constantly send and receive data. These small pieces of data are called “packets”.
This is not only normal: it’s required. Nearly every application and operating system communicates from company servers to your devices. This helps deliver you services that you want, like, and need as part of your interconnected, digital life.
Again, 100% normal. But…
Most people don’t know about this. Others, that do, take for granted that it’s happening because, in truth, we usually have no idea what our devices are sending out to or receiving from the rest of the world at any given time.
But we can find out how — and to whom — our devices are communicating.
Enter one of my favorite categories of tools: “Packet Sniffers”. I know: creepy name. The most well known packet sniffer is an app called Wireshark. It is free and available to download and learn about here if you’re inclined.
I installed Wireshark and activated it BEFORE I clicked the link in the scam email. That meant the application was watching what was being sent to & received from my computer in real time. Neat.
Here’s what it found:
In the image, focus on the lines that I’ve highlighted in blue and the text that I put in red rectangles.
See the website associated with these blue entry lines in Wireshark? They all point to a website named syncvibe.ru which you most definitely should NOT go to, now or ever. That’s because it’s a scam according to sites like WebTrustScan and Scam Detector, which gave it a whopping 8.6 out of 100.
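What Wireshark showed in the screenshot above can be reduced to a short script: list every host the computer talked to during the test, and flag the ones that have no business being part of a Microsoft sign-in. This is an added example, not the post’s own code or Wireshark output. The capture lines are constructed in the shape of `tshark -T fields` CSV output (the host names are the ones from the post; the IP addresses and timings are made up), and the list of domains a genuine sign-in might legitimately touch is my assumption.

```python
import csv
from io import StringIO

# Constructed sample shaped like:
#   tshark -r capture.pcapng -T fields -E header=y -E separator=, \
#     -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name -e tls.handshake.extensions_server_name
# Hosts come from the post; the IPs (documentation ranges) and timings are invented.
SAMPLE_CAPTURE = """\
frame.time_relative,ip.src,ip.dst,dns.qry.name,tls.handshake.extensions_server_name
0.012,192.168.1.20,192.168.1.1,ctldl.windowsupdate.com,
0.340,192.168.1.20,203.0.113.10,,ctldl.windowsupdate.com
3.101,192.168.1.20,192.168.1.1,pulsesphere.ru,
3.455,192.168.1.20,198.51.100.7,,pulsesphere.ru
3.902,192.168.1.20,192.168.1.1,challenges.cloudflare.com,
4.120,192.168.1.20,203.0.113.55,,challenges.cloudflare.com
19.507,192.168.1.20,192.168.1.1,syncvibe.ru,
19.811,192.168.1.20,198.51.100.9,,syncvibe.ru
20.004,192.168.1.20,198.51.100.9,,syncvibe.ru
"""

# Assumption: domains a real Microsoft sign-in (plus normal Windows background traffic
# and the Cloudflare "prove you're human" check) could legitimately contact.
EXPECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com",
                    "windowsupdate.com", "cloudflare.com"}


def parse_capture(text):
    """Turn the CSV export into records with one host name each (DNS query or TLS server name)."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        dns_name = row["dns.qry.name"]
        sni = row["tls.handshake.extensions_server_name"]
        host = (dns_name or sni).lower()
        if not host:
            continue  # packet carried neither a DNS query nor a TLS client hello
        records.append({"time": float(row["frame.time_relative"]), "dst": row["ip.dst"],
                        "host": host, "kind": "dns" if dns_name else "tls"})
    return records


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def contacted_hosts(records):
    """Per host: when it was first seen, how many packets named it, and which IPs served TLS for it."""
    summary = {}
    for r in records:
        e = summary.setdefault(r["host"], {"first_seen": r["time"], "count": 0, "tls_peers": set()})
        e["first_seen"] = min(e["first_seen"], r["time"])
        e["count"] += 1
        if r["kind"] == "tls":
            e["tls_peers"].add(r["dst"])
    return summary


def unexpected_hosts(records, expected=EXPECTED_DOMAINS):
    """Hosts that were contacted but are not under any domain we expected to see."""
    return sorted(h for h in contacted_hosts(records) if not in_domains(h, expected))


def report(text, expected=EXPECTED_DOMAINS):
    records = parse_capture(text)
    summary = contacted_hosts(records)
    lines = []
    for host in unexpected_hosts(records, expected):
        e = summary[host]
        peers = ", ".join(sorted(e["tls_peers"])) or "none (DNS lookup only)"
        lines.append(f"{e['first_seen']:8.3f}s  {host:<28} TLS peers: {peers}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run against the sample, the report lists pulsesphere.ru (the page itself) and, about fifteen seconds later, syncvibe.ru: the second host only shows up after “Sign In” is clicked, which is the same tell the highlighted Wireshark rows give away. The same idea works on a real export: keep the allowlist honest, and anything left over is what your browser was quietly sending your credentials to.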
The Summary
In short, here’s what’s happened:
I clicked on the link in the email I received, something known as a phishing scam.
That link led me to the scam’s initial webpage located at “https://pulsesphere.ru/cDkNb/#YEMAILBASE64”,
That page showed me a fake Microsoft login portal.
Once I (or anyone) enters their login information, that data is sent to the bogus “syncvibe.ru” website. There, I assume, my data (and others’) is collected and then sold on the dark web.
Fancy.
Key Takeaways
Hackers and scammers will go to extraORDINARY lengths to part you from your money, time, and data. Therefore…
It doesn’t matter how real the website looks: always check the URL (or the website address) to confirm that it is what you think it is.
If your Spidey Sense tells you that it’s a scam: TRUST THAT IT IS and walk away.
NEVER, EVER, EVER use your personal email address - the one you use to email your family and friends - as a login for any website other than your actual email account webpage.
Of course, there are many fabulous security and privacy tools to consider if you’re looking to up your game and “harden” your technology against the threat of malicious hacking. Readers of mine have heard me talk endlessly about the benefits of:
The service I use to delete my data from the web: DeleteMe (affiliate link)
The VPN software that I use to encrypt my connection to the Internet no matter what wireless network I’m on: Nord VPN (affiliate link)
The email anonymizer that I use to help me create endless, customizable email addresses, so I can use THOSE instead of my personal email address: 33Mail (affiliate link)
The secure router I use at my home that runs on its own Linux operating system, making it harder to hack than most Linksys & Netgear routers on the market: Synology RT6600ax (affiliate link)
Of course, there are other tools. But these are the ones I use daily. You can too.
Hope you enjoyed this one. Be safe out there now, ya hear?
And that’s a wrap for today’s episode, everyone. Thanks for being a part of our community and, as always… surf safe! 👍🏼 👌🏾
Popular Past Issues:
Which secure routers to purchase and WHY.
My recommendations on the best VPN providers.
My favorite, free tool to keep email addresses private.
A crash course on keeping your devices updated.